4.3 Release Notes: New UI & Approval Workflow
This is a major Teleport release with a focus on new features, functionality, and bug fixes. It’s a substantial release and users can review 4.3 closed issues on Github for details of all items. We would love your feedback - please drop us a note, we’re always listening!
Teleport 4.3 includes a completely redesigned Web UI. The new Web UI expands the management functionality of a Teleport cluster and the user experience of using Teleport to make it easier and simpler to use. Teleport’s new terminal provides a quick jumping-off point to access nodes and nodes on other clusters via the web.
Teleport’s Web UI now exposes Teleport’s Audit log, letting auditors and administrators view Teleport access events, SSH events, recording session, and enhanced session recording all in one view.
Teleport 4.3 introduces four new plugins that work out of the box with Approval Workflow. These plugins allow you to automatically support role escalation with commonly used third party services. The built-in plugins are listed below.
- Added the ability for local users to reset their own passwords. #2387
- Added user impersonation (
kube_users)support to Kubernetes Proxy. #3369
- Added support for third party S3-compatible storage for sessions. #3057
- Added support for GCP backend data stores. #3766 #3014
- Added support for X11 forwarding to OpenSSH servers. #3401
- Added support for auth plugins in proxy
- Added support for OpenSSH-like escape sequence. #3752
teleport configureoutput to be more useful out of the box. #3429
- Updated ability to only show SSO on the login page. #2789
- Updated help and support section in Web UI. #3531
- Updated default SSH signing algorithm to SHA-512 for new clusters. #3777
- Standardized audit event fields.
- Fixed removing existing user definitions in kubeconfig. #3209
- Fixed an issue where port forwarding could fail in certain circumstances. #3749
- Fixed temporary role grants issue when forwarding Kubernetes requests. #3624
- Fixed an issue that prevented copy/paste in the web termination. #92
- Fixed an issue where the proxy did not test Kubernetes permissions at startup. #3812
- Fixed Vulnerabilities in Teleport Docker Image https://quay.io/repository/gravitational/teleport?tab=tags
- Moved SSO under Enterprise Section - link
- Documented Teleport Plugins - link
- Documented Kubernetes Role Mapping - link
Always follow the recommended upgrade procedure to upgrade to this version.
New Signing Algorithm
If you’re upgrading an existing version of Teleport, you may want to consider rotating CA to SHA-256 or SHA-512 for RSA SSH certificate signatures. The previous default was SHA-1, which is now considered to be weak against brute-force attacks. SHA-1 certificate signatures are also no longer accepted by OpenSSH versions 8.2 and above. All new Teleport clusters will default to SHA-512 based signatures. To upgrade an existing cluster, set the following in your
teleport: ca_signature_algo: "rsa-sha2-512"
Rotate the cluster CA, following these docs.
Due to the number of changes included in the redesigned Web UI, some URLs and functionality have shifted. Refer to the following ticket for more details. #3580
The minimum set of Kubernetes permissions that need to be granted to Teleport proxies has been updated. If you use the Kubernetes integration, please make sure that the ClusterRole used by the proxy has sufficient permissions.
Path prefix for etcd
The etcd backend now correctly uses the “prefix” config value when storing data. Upgrading from 4.2 to 4.3 will migrate the data as needed at startup. Make sure you follow our Teleport upgrade guidance. Note: If you use an etcd backend with a non-default prefix and need to downgrade from 4.3 to 4.2, you should backup Teleport data and restore it into the downgraded cluster.